if()

Definition

The if() function takes a condition, a true value, and a false value. If the condition evaluates to true, the true value is returned. Otherwise, the false value is returned.

Examples

The following example adds a new column called balanceStatus, which shows either 'negative' or 'positive' depending on whether the balance column holds a negative or positive numerical value. spath extracts the JSON content, and fields limits the output to the _time, balance, and balanceStatus columns.

index=crud earliest=-5y
| spath
| eval balanceStatus=if(balance<0, "negative", "positive")
| fields _time, balance, balanceStatus
Screenshot of the previous example’s result

if() is usually used together with other evaluation functions to build more complex searches. The following example adds an error column set to 'true' for every row that has 'ERROR' or 'error' in the Code column, and to 'false' for every other row.

index=alert_examples earliest=-5y
| rex4j "code=(?<Code>\w+[^\s])"
| eval error=if(in(Code, "ERROR", "error"), "true", "false")
| fields _time, Code, error
Screenshot of the previous example’s result
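
The following Python model of the previous search is an added example, not part of the original page or the product's code. It shows which Code values end up flagged, assuming in() compares exactly and case-sensitively and that a row without a Code value does not match; the helper names if_, in_ and error_flag and the sample lines are constructed for illustration.

```python
import re

# Pattern from the search above. Python writes the named group as (?P<Code>...)
# where the original uses the Java-style (?<Code>...).
CODE_RE = re.compile(r"code=(?P<Code>\w+[^\s])")


def if_(condition, true_value, false_value):
    """Model of if(): true_value when the condition holds, else false_value."""
    return true_value if condition else false_value


def in_(value, *candidates):
    """Model of in(); assumed to be an exact, case-sensitive comparison."""
    return value in candidates


def error_flag(line):
    """Return (Code, error) for one log line, mirroring the rex4j and eval steps."""
    match = CODE_RE.search(line)
    code = match.group("Code") if match else None  # assumption: no match, no Code
    return code, if_(in_(code, "ERROR", "error"), "true", "false")


# Constructed sample lines (not taken from the page).
SAMPLE = [
    "2024-01-01 code=ERROR disk full",
    "2024-01-01 code=error disk full",
    "2024-01-01 code=Error disk full",   # mixed case is not in the list
    "2024-01-01 code=ERROR, disk full",  # trailing [^\s] also captures the comma
    "2024-01-01 code=OK all good",
    "2024-01-01 no code field",
]


def run():
    """Evaluate every sample line and return the (Code, error) pairs."""
    return [error_flag(line) for line in SAMPLE]


if __name__ == "__main__":
    for line, (code, flag) in zip(SAMPLE, run()):
        print(f"{flag:5}  Code={code!r:10}  {line}")
```

Under these assumptions only the exact values ERROR and error are flagged, so an alert built on the error column would skip rows such as Code=Error or a Code captured with trailing punctuation.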

Further Reading